[squid-dev] [PATCH] Secure ICAP
Tsantilas Christos
chtsanti at users.sourceforge.net
Thu Apr 9 14:43:24 UTC 2015
This patch adds support for ICAP services that require SSL/TLS transport
connections.
To mark an ICAP service as "secure", use an "icaps://" service URI
scheme when listing your service via an icap_service directive.
Squid uses port 11344 for Secure ICAP by default, following another
popular proxy convention. The old 1344 default for plain ICAP ports has
not changed.
This patch should be applied after the "server_name" and "splicing resumed
sessions" patches are applied to trunk, and after it is re-merged with the trunk.
However we can start the discussion if you agree.
Technical Details
==================
This patch:
- Splits Ssl::PeerConnector class into Ssl::PeerConnector parent and
two kids: Ssl::BlindPeerConnector, a basic SSL connector for
cache_peers, and Ssl::PeekingPeerConnector, a peek-and-splice SSL
connector for HTTP servers.
- Adds a third Ssl::IcapPeerConnector kid to connect to Secure ICAP
servers.
- Fixes ErrorState class to avoid crashes on nil ErrorState::request
member. (Ssl::IcapPeerConnector may generate an ErrorState with a nil
request).
- Modifies the ACL peername to use the Secure ICAP server name as
value while connecting to an ICAP server. This is useful to make SSL
certificate policies based on ICAP server name. However, this change is
undocumented until we decide whether a dedicated ACL would be better.
This is a Measurement Factory project.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Secure-ICAP-t4.patch
Type: text/x-patch
Size: 99320 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20150409/0a10ea80/attachment-0001.bin>
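An added example, not part of the original post or of the Squid code base: a small Python audit of icap_service lines that applies the default ports described in the message (1344 for icap://, 11344 for icaps://) and reports services that still use plaintext ICAP. The sample configuration, host names and service names are constructed, and the function names are hypothetical.

```python
# Added example: audit icap_service lines in a squid.conf for transport security.
from urllib.parse import urlsplit

# Default ports as stated in the post: 1344 for plain ICAP, 11344 for Secure ICAP.
DEFAULT_PORTS = {"icap": 1344, "icaps": 11344}

def parse_icap_services(conf_text):
    """Return one dict per icap_service directive found in conf_text."""
    services = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(tokens) < 2 or tokens[0] != "icap_service":
            continue
        # Locate the URI by its scheme so the argument order does not matter.
        uri = next((t for t in tokens[2:]
                    if t.lower().startswith(("icap://", "icaps://"))), None)
        if uri is None:
            services.append({"line": lineno, "name": tokens[1],
                             "error": "no icap:// or icaps:// URI"})
            continue
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        services.append({
            "line": lineno, "name": tokens[1], "scheme": scheme,
            "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[scheme],  # scheme default if omitted
            "secure": scheme == "icaps",
        })
    return services

def audit(services):
    """Return (service name, message) pairs for services that need review."""
    findings = []
    for s in services:
        if "error" in s:
            findings.append((s["name"], s["error"]))
        elif not s["secure"]:
            findings.append((s["name"], "plaintext ICAP to %s:%d" % (s["host"], s["port"])))
        elif s["port"] == DEFAULT_PORTS["icap"]:
            findings.append((s["name"], "icaps:// on port 1344, the plain ICAP default; "
                                        "confirm the listener speaks TLS"))
    return findings

# Constructed sample configuration (hypothetical hosts and service names).
SAMPLE = """\
icap_enable on
icap_service av_req reqmod_precache icap://127.0.0.1/reqmod bypass=off
icap_service dlp_req reqmod_precache icaps://icap.example.com/reqmod bypass=off
icap_service av_resp respmod_precache icaps://icap.example.com:1344/respmod  # explicit port
"""

if __name__ == "__main__":
    for name, msg in audit(parse_icap_services(SAMPLE)):
        print(name + ": " + msg)
```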